[MEDIUM] Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag

PKSA-ffqw-wkbr-m6bg CVE-2026-33883 GHSA-3jg4-p23x-p4qx

Affected package: statamic/cms

Affected version: >=6.0.0-alpha.1,<6.7.2|<5.73.16

Reported by:
GitHub